On Thu, 2010-02-18 at 13:40 -0800, Justin P. mattock wrote:
> alright... policy is up and running
> in full enforcement mode:
>
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: enforcing
> Mode from config file: error (Permission denied)
> Policy version: 24
> Policy from config file: targeted
>
> Process contexts:
> Current context: name:user_r:user_t
> Init context: unknown (Permission denied)

Since you ran it from user_t, you weren't allowed to see the context of
init. Can you run pstree -Z as sysadm_t and confirm that processes are
running in the correct context (i.e. that they are not left in sysadm_t
as they were for Alan)?

> I tried to enable poly-instantiation support (pam_namespace), but
> need to look more into that because I never really set it up
> with gdm.

You don't really need that unless you want multi-level directories.

> Anyways I'm able to boot up, able to
> use firefox and evolution. as for anything
> else I'm sure just need to define the allow rules.
>
>
> Now the only real area of interest is
> the dbus message pointing to targeted.
>
> I'm guessing dbus was built with a hard wire,
> if so this would require rebuilding dbus,
> or using another rpm package built correctly.
> (if possible without breaking the system dependencies).
>
> but then again it could be just a boolean.
> In any case main thing is full enforcement works
> gdm works, nice system I'd have to say.

dbus should just be including whatever path your
/etc/dbus-1/system.conf says to include, and it should be relative
to /etc/selinux/$SELINUXTYPE from /etc/selinux/config if it has
selinux_root_relative="yes" there.

On Fedora, /etc/dbus-1/system.conf says:
<include if_selinux_enabled="yes" selinux_root_relative="yes">contexts/dbus_contexts</include>

--
Stephen Smalley
National Security Agency
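Added example, not part of the original message and not dbus code: a small Python check that resolves each <include> in a system.conf the way the reply describes, so you can see which dbus_contexts file a given SELINUXTYPE leads to. The sample file contents, the SELINUXTYPE value "refpolicy", the helper names, and the assumption that other relative includes resolve against the directory of the including file are all constructed for illustration.

```python
import posixpath
import xml.etree.ElementTree as ET

# Constructed sample inputs, not copied from any real system.
SAMPLE_SELINUX_CONFIG = """\
SELINUX=enforcing
SELINUXTYPE=refpolicy
"""
SAMPLE_DBUS_CONF = """\
<busconfig>
  <include if_selinux_enabled="yes" selinux_root_relative="yes">contexts/dbus_contexts</include>
  <include ignore_missing="yes">system-local.conf</include>
</busconfig>
"""

def selinux_type(config_text):
    """Return SELINUXTYPE from the text of /etc/selinux/config."""
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip() == "SELINUXTYPE":
            return value.strip()
    raise ValueError("SELINUXTYPE is not set")

def resolve_includes(dbus_conf_text, config_text,
                     conf_dir="/etc/dbus-1", selinux_enabled=True):
    """Return the absolute path of every <include> that applies."""
    policy_root = posixpath.join("/etc/selinux", selinux_type(config_text))
    paths = []
    for inc in ET.fromstring(dbus_conf_text).iter("include"):
        # Includes guarded by if_selinux_enabled are skipped when SELinux is off.
        if inc.get("if_selinux_enabled") == "yes" and not selinux_enabled:
            continue
        # selinux_root_relative="yes" anchors the path at the policy root;
        # otherwise assume it is relative to the including file's directory.
        relative = inc.get("selinux_root_relative") == "yes"
        base = policy_root if relative else conf_dir
        paths.append(posixpath.normpath(
            posixpath.join(base, (inc.text or "").strip())))
    return paths

if __name__ == "__main__":
    for path in resolve_includes(SAMPLE_DBUS_CONF, SAMPLE_SELINUX_CONFIG):
        print(path)
```

To check a live system, pass the contents of /etc/dbus-1/system.conf and /etc/selinux/config instead of the samples and compare the result with the path named in the dbus message.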